Composer Packages in Prod Environment

Hi guys. I am just getting grounded with Composer (having never really used it before). I was just wondering what is best practice in terms of implementing the vendor directory within your production environment.

Do you guys just add it to the base root of your site, e.g. /home/hostname/appname/public_html/vendor?


That’s the convention, and Composer will do that automatically if you just leave your manifest in your project root like they suggest.

A more secure approach used by some frameworks is to have a public folder that contains the web accessible endpoints of your project and serves as your web root. composer.json and vendor then live above this folder. This slightly complicates your deployment as you now have to have permission to replace your web root, but prevents attackers from easily accessing your dependencies.

My host does provide a private_html directory that is a peer of public_html (see img). This is actually where I put my database include.


It would be good practice then to sit the composer vendor directory in here as well, and reference it from within public_html?


That would be a more secure approach, yes. You shouldn’t have to reference it directly; you can just point your autoloader at the directory by messing with the autoload property in your composer.json manifest.
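
Added example (not part of the thread and not any poster's code): a shell check to run after moving Composer's files to a peer directory such as private_html, confirming that nothing Composer-related is left under the web root. The function names and sample directory trees are constructed for illustration, and checking for Composer's auth.json credentials file goes beyond what the thread mentions.

```bash
#!/usr/bin/env bash
# Added example: list Composer artifacts that sit inside a web root.
# Function names and the sample trees below are constructed for illustration.

# Print each Composer artifact under the document root $1, one per line.
find_exposed_composer_files() {
    local docroot=$1 path
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    # vendor/ is reported once and not descended into; auth.json (Composer's
    # repository credentials file) is checked in addition to what the thread names.
    find "$docroot" \( -type d -name vendor -prune -print \) -o \
        \( -type f \( -name composer.json -o -name composer.lock \
                      -o -name auth.json \) -print \) |
    while IFS= read -r path; do
        # A vendor/ directory without autoload.php is not Composer's (e.g. JS assets).
        if [ -d "$path" ] && [ ! -f "$path/autoload.php" ]; then continue; fi
        printf '%s\n' "$path"
    done
}

# Number of artifacts found under the document root $1.
count_exposed() {
    find_exposed_composer_files "$1" | wc -l | tr -d '[:space:]'
}

# Build two constructed layouts under $1: "exposed" keeps everything in
# public_html, "moved" keeps Composer files in a private_html peer directory.
make_sample_layouts() {
    local base=$1
    mkdir -p "$base/exposed/public_html/vendor" "$base/exposed/public_html/assets/vendor" \
             "$base/moved/public_html" "$base/moved/private_html/vendor"
    touch "$base/exposed/public_html/index.php" "$base/exposed/public_html/composer.json" \
          "$base/exposed/public_html/composer.lock" \
          "$base/exposed/public_html/vendor/autoload.php" \
          "$base/exposed/public_html/assets/vendor/jquery.js" \
          "$base/moved/public_html/index.php" "$base/moved/private_html/composer.json" \
          "$base/moved/private_html/composer.lock" "$base/moved/private_html/vendor/autoload.php"
}

demo_dir=$(mktemp -d)
make_sample_layouts "$demo_dir"
for site in exposed moved; do
    echo "$site: $(count_exposed "$demo_dir/$site/public_html") artifact(s) under public_html"
done
rm -rf "$demo_dir"
```

Pointing `find_exposed_composer_files` at a real document root before and after a deployment shows whether the move actually took effect.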

Gotcha. Thank you for the response.

I’ll play about with that this evening and hopefully all will go smoothly.


A website that I go to sometimes (especially when setting up a new project) is

I really like Composer as it takes away all the mundane tasks that you would have to do.
